We need to ensure that the current user has permission to view/modify/create/delete before reading/writing from the database. This will be enforced with auth.Permissions#checkPermission. A call to checkPermission is added to each method; if the user doesn't have permission for the operation, checkPermission throws an auth.AuthorizationException.
There are descriptive Javadoc comments in the auth.Permissions class. Be sure to read them before starting.
Important: This needs to be done on the authorization branch.
Here are a few examples:
Deleting a user
public class UserData_Table extends InitDB implements Interface_UserData {
...
@Override
// AuthorizationException has been added to the "throws" list
public void removeUser(int uid) throws DoesNotExistException, AuthorizationException {
String table = "USERS";
// The field argument is null because we're operating on an entire row.
// We pass uid as the last argument because this operation affects another user.
Permissions.get().checkPermission(table, null, Operation.DELETE, uid);
...
}
...
}
public interface Interface_UserData {
...
// AuthorizationException has been added to the "throws" list
public void removeUser(int uid) throws DoesNotExistException, AuthorizationException;
...
}
Setting a task description
public class Tasks_Table extends InitDB implements Interface_TaskData {
...
// AuthorizationException has been added to the "throws" list
public void setDescription(int uid, String description) throws DoesNotExistException, AuthorizationException {
// Note that we DON'T pass uid; uid is just the ID of the current user in this case.
Permissions.get().checkPermission(tableName, "DESCRIPTION", Operation.MODIFY);
setDBString("DESCRIPTION", tableName, uid, description);
}
...
}
public interface Interface_TaskData {
...
// AuthorizationException has been added to the "throws" list
public void setDescription(int uid, String description) throws DoesNotExistException, AuthorizationException;
...
}
Viewing a task description
public class Tasks_Table extends InitDB implements Interface_TaskData {
...
// AuthorizationException has been added to the "throws" list
public String getDescription(int uid) throws DoesNotExistException, AuthorizationException {
// Note that we DON'T pass uid; uid is just the ID of the current user in this case.
Permissions.get().checkPermission(tableName, "DESCRIPTION", Operation.VIEW);
return getDBString("DESCRIPTION", tableName, uid, description);
}
...
}
public interface Interface_TaskData {
...
// AuthorizationException has been added to the "throws" list
public String getDescription(int uid) throws DoesNotExistException, AuthorizationException;
...
}
dewskii
commented
8 years ago
We need to ensure that the current user has permission to view/modify/create/delete before reading/writing from the database. This will be enforced with
auth.Permissions#checkPermission. A call to checkPermission is added to each method; if the user doesn't have permission for the operation, checkPermission throws anauth.AuthorizationException.There are descriptive Javadoc comments in the
auth.Permissionsclass. Be sure to read them before starting.Important: This needs to be done on the
authorizationbranch.Here are a few examples:
Deleting a user
Setting a task description
Viewing a task description